Web Proxy Log Fields

08/13/2010

The following table lists the log fields that can be included in Forefront TMG Web proxy log entries by setting the corresponding character in the string held in the LogFieldSelectionString property of the FPCLog object for Web proxy logging.

The bit numbers listed in this table, which are based on the numbering system that was used in the LogFieldSelection property, correspond to the zero-based numbers of the characters in the string held in the LogFieldSelectionString property.

The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous.

| Bit | Field name | SQL Server Express field | W3C field | Description |
| --- | --- | --- | --- | --- |
| 2 | Client Agent | ClientAgent | c-agent | The name and version of the client application sent by the client in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG. |
| 3 | Authenticated Client | ClientAuthenticate | sc-authenticated | A value that indicates whether the client has been authenticated with the Forefront TMG computer. Possible values are Y and N. |
| 4 | Log Date | logTime | date | The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 5 | Log Time | logTime | time | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 6 | Service | service | s-svcname | The name of the service that is logged. For example, fwsrv indicates the Microsoft Firewall service. |
| 7 | Server Name | servername | s-computername | The name of the Forefront TMG computer. This is the computer name assigned in Windows Server 2008. |
| 8 | Referring Server | referredserver | cs-referred | The URL of the resource that supplied the requested URL to the client, as indicated in the Referrer header of the request. |
| 9 | Destination Host Name | DestHost | r-host | The domain name for the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination. |
| 10 | Destination IP | DestHostIP | r-ip | The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned. |
| 11 | Destination Port | DestHostPort | r-port | The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request. |
| 12 | Processing Time | processingtime | time-taken | The total time, in milliseconds, that is needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client and the connection is closed. For cache requests that are processed through the Forefront TMG Web proxy, the processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client. |
| 13 | Bytes Received | bytesrecvd | cs-bytes | The number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 14 | Bytes Sent | bytessent | sc-bytes | The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
| 15 | Protocol | protocol | cs-protocol | The application protocol used for the connection. Common values are http for Hypertext Transfer Protocol, https for Secure HTTP, and ftp for File Transfer Protocol. |
| 16 | Transport | transport | cs-transport | The transport protocol used for the connection. Common values are TCP and UDP. |
| 17 | HTTP Method | operation | s-operation | The HTTP method used. Common values are GET, PUT, POST, and HEAD. |
| 18 | URL | uri | cs-uri | The URL requested. |
| 19 | MIME Type | mimetype | cs-mime-type | The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. |
| 20 | Object Source | objectsource | s-object-source | The type of source that was used to retrieve the current object. A table of some possible values is provided in Object Source Values. |
| 21 | HTTP Status Code | resultcode | sc-status | A Windows (Win32) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or a Forefront TMG error code. A table of some possible values is provided in Result Code Values. For more information about Forefront TMG error codes, see Error Codes. |
| 22 | Cache Information | CacheInfo | s-cache-info | A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Cache Information Values. |
| 23 | Rule | Rule | rule | The rule that either allowed or denied access to the request, as follows: If an outgoing request was allowed, this field indicates the access rule that allowed the request. If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request. If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request. If Forefront TMG denied the connection for any reason other than a policy rule, this field contains a hyphen (-), and the Result Code field indicates the reason. |
| 24 | Filter Information | FilterInfo | FilterInfo | Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection. |
| 25 | Source Network | SrcNetwork | cs-network | The network from which the request originated. |
| 26 | Destination Network | DstNetwork | sc-network | The network to which the request was sent. |
| 27 | Error Information | ErrorInfo | error-info | A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Error Information Bit Fields. |
| 28 | Action | Action | action | The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 29 | GMT Log Time | GmtLogTime | GMT Time | The date and time in Coordinated Universal Time (UTC) when the log entry was made. |
| 30 | Authentication Server | AuthenticationServer | AuthenticationServer | The name of the LDAP server or RADIUS server that was used for authentication. |
| 31 | NIS Scan Result | ipsScanResult | NIS scan result | The Network Inspection System (NIS) scan result. The possible values are defined in the FpcIpsScanResult enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 32 | NIS Signature | ipsSignature | NIS signature | The NIS signature detected or used as a basis for blocking the traffic. |
| 33 | Threat Name | ThreatName | ThreatName | The name of the threat found by malware inspection. |
| 34 | Malware Inspection Action | MalwareInspectionAction | MalwareInspectionAction | The type of action performed on an HTTP response during malware inspection. The possible values are defined in the FpcMalwareInspectionAction enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 35 | Malware Inspection Result | MalwareInspectionResult | MalwareInspectionResult | The reason for the action performed on an HTTP response during malware inspection. The possible values are defined in the FpcMalwareInspectionActionReason enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 36 | URL Category | UrlCategory | UrlCategory | The URL category. |
| 37 | Content Delivery Method | MalwareInspectionContentDeliveryMethod | MalwareInspectionContentDeliveryMethod | The content delivery method used during malware inspection. The possible values are defined in the FpcMalwareInspectionContentDeliveryMethod enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 38 | UAG Array Id | UagArrayId | mi-uagarrayid | The Forefront Unified Access Gateway (UAG) array identifier. |
| 39 | UAG Version | UagVersion | sc-uagversion | The Forefront UAG version number. |
| 40 | UAG Module Id | UagModuleId | mi-uagmoduleid | The identifier of the Forefront UAG module. |
| 41 | UAG Id | UagId | sc-uagid | The Forefront UAG identifier. |
| 42 | UAG Severity | UagSeverity | mi-uagseverity | The Forefront UAG array identifier. |
| 43 | UAG Type | UagType | mi-uagtype | The Forefront UAG type. |
| 44 | UAG Event Name | UagEventName | sc-uageventname | The identifying number of the Forefront UAG event. |
| 45 | UAG Session Id | UagSessionId | mi-uagsessionid | The Forefront UAG session identifier. |
| 46 | UAG Trunk Name | UagTrunkName | mi-uagtrunkname | The name of the Forefront UAG trunk. |
| 47 | UAG Service Name | UagServiceName | mi-uagservicename | The name of the Forefront UAG service. |
| 48 | UAG Error Code | UagErrorCode | sc-uagerrorcode | The Forefront UAG error code. |
| 49 | Malware Inspection Duration (msec) | MalwareInspectionDuration | MalwareInspectionDuration | The time, in milliseconds, needed to inspect the content of an HTTP response for malware. |
| 50 | Threat Level | MalwareInspectionThreatLevel | MalwareInspectionThreatLevel | The threat level of malware detected during malware inspection. The possible values are defined in the FpcMalwareInspectionThreatLevel enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 51 | Internal Service Info Log Fields | InternalServiceInfo | internal-service-info | The information generated by internal services. |
| 52 | NIS Application Protocol | ipsApplicationProtocol | NIS application protocol | The application protocol in which NIS detected the signature. |
| 53 | NAT Address | NAT Address | NAT Address | The public NAT IP address used as the source IP address for outbound traffic. |
| 54 | URL Categorization Reason | UrlCategorizationReason | UrlCategorizationReason | The reason for the URL categorization. The possible values are defined in the FpcUrlCategorizationReason enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 55 | Session Type | SessionType | SessionType | The type of session. The possible values are defined in the FpcSessionType enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 56 | URL Destination Host Name | UrlDestHost | UrlDestHost | The destination host name in the URL. |
| 57 | Source Port | SrcPort | s-port | The source port. |
| 58 | Soft Blocking Rule | SoftBlockAction | SoftBlockAction | The name of the first matching deny rule that can be overridden by the user. |

Object Source Values

| Source values | Description |
| --- | --- |
| 0 | No source information is available. |
| Cache | Source is the cache. Object returned from cache. |
| Internet | Source is the Internet. Object added to cache. |
| Member | Object returned from another array member. |
| Not Modified | Source is the cache. Client performed an If-Modified-Since request, and object had not been modified. |
| Not Verified Cache | Source is the cache. Object could not be verified to source. |
| Upstream | Object returned from an upstream proxy cache. |
| Verified Cache | Source is the cache. Object was verified to source and had not been modified. |
| Verify Failed Internet | Source is the Internet. Cached object was verified to source and had been modified. |

Result Code Values

| Value | Description |
| --- | --- |
| 0 | The operation completed successfully. |
| 200 | OK. |
| 201 | Created. |
| 202 | Accepted. |
| 204 | No content. |
| 301 | Moved permanently. |
| 302 | Moved temporarily. |
| 304 | Not modified. |
| 400 | Bad request. |
| 401 | Unauthorized. |
| 403 | Forbidden. |
| 404 | Not found. |
| 500 | Server error. |
| 501 | Not implemented. |
| 502 | Bad gateway. |
| 503 | Out of resources. |
| 995 | Operation aborted. |
| 10060 | A connection timed out. |
| 10061 | A connection was refused by the destination host. |
| 10065 | No route to host. |
| 11001 | Host not found. |
| 12217 | The request was rejected by HTTP Filter. |

Cache Information Values

| Value | Description |
| --- | --- |
| 0x00000001 | Request should not be served from the cache. |
| 0x00000002 | Request includes the IF-MODIFIED-SINCE header. |
| 0x00000004 | Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE. |
| 0x00000008 | Request includes the AUTHORIZATION header. |
| 0x00000010 | Request includes the VIA header. |
| 0x00000020 | Request includes the IF-MATCH header. |
| 0x00000040 | Request includes the RANGE header. |
| 0x00000080 | Request includes the CACHE-CONTROL: NO-STORE header. |
| 0x00000100 | Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE, or CACHE-CONTROL: MIN-FRESH header. |
| 0x00000200 | Cache could not be updated. |
| 0x00000400 | IF-MODIFIED-SINCE time specified in the request is newer than cached LASTMODIFIED time. |
| 0x00000800 | Request includes the CACHE-CONTROL: ONLY-IF-CACHED header. |
| 0x00001000 | Request includes the IF-NONE-MATCH header. |
| 0x00002000 | Request includes the IF-UNMODIFIED-SINCE header. |
| 0x00004000 | Request includes the IF-RANGE header. |
| 0x00008000 | More than one VARY header. |
| 0x00010000 | Response includes the CACHE-CONTROL: PUBLIC header. |
| 0x00020000 | Response includes the CACHE-CONTROL: PRIVATE header. |
| 0x00040000 | Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. |
| 0x00080000 | Response includes the CACHE-CONTROL: NO-STORE header. |
| 0x00100000 | Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. |
| 0x00200000 | Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header. |
| 0x00400000 | Response includes the VARY header. |
| 0x00800000 | Response includes the LAST-MODIFIED header. |
| 0x01000000 | Response includes the EXPIRES header. |
| 0x02000000 | Response includes the SET-COOKIE header. |
| 0x04000000 | Response includes the WWW-AUTHENTICATE header. |
| 0x08000000 | Response includes the VIA header. |
| 0x10000000 | Response includes the AGE header. |
| 0x20000000 | Response includes the TRANSFER-ENCODING header. |
| 0x40000000 | Response should not be cached. |

Error Information Bit Fields

| Value | Descriptive code | Description |
| --- | --- | --- |
| 0x00000001 | ERROR_INFO_IO_RECV_FROM_CLIENT | An error occurred during the receipt of packets from the client. |
| 0x00000002 | ERROR_INFO_IO_SEND_TO_CLIENT | An error occurred during the sending of packets to the client. |
| 0x00000004 | ERROR_INFO_IO_SEND_TO_SERVER | An error occurred during the sending of packets to the server. |
| 0x00000008 | ERROR_INFO_IO_RECV_FROM_SERVER | An error occurred during the receipt of packets from the server. |
| 0x00000010 | ERROR_INFO_DEST_IS_MEMBER | - |
| 0x00000020 | ERROR_INFO_CLIENT_IS_MEMBER | - |
| 0x00000040 | ERROR_INFO_DURING_CONNECT | An error occurred during the establishment of a connection. |
| 0x00000080 | ERROR_INFO_CLIENT_KA | A Keep-Alive connection was established with the client. |
| 0x00000100 | ERROR_INFO_SERVER_KA | A Keep-Alive connection was established with the upstream server. |
| 0x00000200 | ERROR_INFO_REQUEST_HAS_BODY | The request from the client includes a body (with a nonzero content length). |
| 0x00000400 | ERROR_INFO_RESPONSE_HAS_BODY | The response received from the server includes a body (with a nonzero content length). |
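
The following added example (not part of the original page) applies three conventions documented above to log entries: the sc-status value ranges, the error-info bit fields, and the hyphen in the rule field that marks a denial not caused by a policy rule. The sample entries are constructed, and the tab-delimited layout with a `#Fields:` directive and the hex formatting of error-info are assumptions.

```python
ERROR_INFO_BITS = {  # values and names from the Error Information Bit Fields table
    0x001: "ERROR_INFO_IO_RECV_FROM_CLIENT",
    0x002: "ERROR_INFO_IO_SEND_TO_CLIENT",
    0x004: "ERROR_INFO_IO_SEND_TO_SERVER",
    0x008: "ERROR_INFO_IO_RECV_FROM_SERVER",
    0x010: "ERROR_INFO_DEST_IS_MEMBER",
    0x020: "ERROR_INFO_CLIENT_IS_MEMBER",
    0x040: "ERROR_INFO_DURING_CONNECT",
    0x080: "ERROR_INFO_CLIENT_KA",
    0x100: "ERROR_INFO_SERVER_KA",
    0x200: "ERROR_INFO_REQUEST_HAS_BODY",
    0x400: "ERROR_INFO_RESPONSE_HAS_BODY",
}

def decode_error_info(value):
    """Names of the set bits; bits outside the table are reported, not dropped."""
    mask = 0 if value in ("", "-") else int(value, 0)  # accepts "576" or "0x240"
    names = [name for bit, name in ERROR_INFO_BITS.items() if mask & bit]
    unknown = mask & ~sum(ERROR_INFO_BITS)
    return names + ([f"UNKNOWN(0x{unknown:08X})"] if unknown else [])

def classify_result_code(code):
    """Apply the value ranges given in the HTTP Status Code (sc-status) row."""
    if code < 100:
        return "Win32"
    if code <= 1000:
        return "HTTP"
    return "Winsock" if 10004 <= code <= 11031 else "Forefront TMG"

def parse_w3c(lines):  # one dict per entry, keyed by the names in #Fields
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

# Constructed sample entries (assumed layout: tab-delimited, error-info in hex).
SAMPLE = [
    "#Fields: date\ttime\tr-host\tcs-uri\tsc-status\trule\terror-info",
    "2010-08-13\t09:15:02\twww.example.com\thttp://www.example.com/\t200\tAllow Web Access\t0x180",
    "2010-08-13\t09:15:07\thost.example.net\thttp://host.example.net/a\t10060\t-\t0x48",
]

def non_policy_denials(lines):
    """Entries whose rule field is '-': the result code explains the denial."""
    return [(e["cs-uri"], classify_result_code(int(e["sc-status"])),
             decode_error_info(e["error-info"]))
            for e in parse_w3c(lines) if e["rule"] == "-"]
```
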